[Samba] samba4 internal dns Server ddns for the reverse lookup Zone

Rowland Penny rowlandpenny at googlemail.com
Tue Aug 19 15:19:45 MDT 2014


I never found any other way to do it; you have to do it by a secure method
(Kerberos), and that's how the script works. I'll come up with a howto and
send it to you tomorrow, provided gmail is working properly again.

Rowland


On 19 August 2014 21:56, Markus Roth <markusroth1983 at gmx.net> wrote:

> Hi Rowland,
>
> I think it's no problem to set up your howto with CentOS 7 :-) Can I have
> the howto? But is it correct that I can't use a DHCP setup without the
> script?
>
> markus
>
> Sent: Tuesday, 19 August 2014 at 22:50
> From: "Rowland Penny" <rowlandpenny at googlemail.com>
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse
> lookup Zone
> On 19/08/14 21:27, Markus Roth wrote:
> > Hi Steve,
> >
> > Thanks a lot :-) So in this case, where I have a successful configuration,
> > I would now implement an ISC DHCP server in my CentOS 7 test
> > environment. But how should I configure the DHCP server? I didn't find any
> > howto, only a script from
> > http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
> > But is that the only way? And if it is the only way, how must I
> > integrate this script in DHCP?
> Hi, I have been doing the updates with dhcp this way for over 18 months
> now. You need to add a user to do the updates, create a keytab for that
> user, turn off ddns updates from windows clients, and then dhcp runs a
> script that, via nsupdate, updates DNS. I could probably come up with a
> howto, but it would be for Debian, so you would have to Centos-ify it
> yourself.
>
> Rowland
>
> >
> > Kind regards
> > Markus
> >
> > -----Original Message-----
> > From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> > On behalf of steve
> > Sent: Monday, 18 August 2014 17:08
> > To: Markus Roth
> > Cc: samba at lists.samba.org
> > Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse
> > lookup Zone
> >
> > On Mon, 2014-08-18 at 16:28 +0200, Markus Roth wrote:
> >> Hi Steve,
> >>
> >> I have BIND version 9.9.4-RedHat-9.9.4-14.el7.centos (Extended
> >> Support Version) under CentOS 7. I see the update messages without
> >> configuring a log level in /var/log/messages.
> >> OK, so you mean I should always use DHCP instead of static IPs for a
> >> clean DDNS update and logs?
> >> When I changed the IP address of my client1 (a Windows 7 machine) from
> >> 192.168.178.99 to 192.168.178.98 and analysed the DNS entries with the
> >> Windows remote tools, it had updated client1 successfully.
> >> With the host command I get:
> >>
> >> [root at server1 ~]# host -t A client1.winnet.local
> >> client1.winnet.local has address 192.168.178.98
> >> [root at server1 ~]# host -t PTR 192.168.178.98
> >> 98.178.168.192.in-addr.arpa domain name pointer client1.winnet.local.
> >>
> >> So can I say that I have a correct configuration although I have the
> >> denied message? This is what /var/log/messages says for the DDNS during
> >> the IP change:
> >>
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
> >> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#57564: update 'winnet.local/IN' denied
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
> >> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> >> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> >> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.98'
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 12 900 600 86400 0'
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 13 900 600 86400 0'
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone winnet.local
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> >> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#62909: update '178.168.192.in-addr.arpa/IN' denied
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
> >> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '98.178.168.192.in-addr.arpa' PTR
> >> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '98.178.168.192.in-addr.arpa' PTR
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added 98.178.168.192.in-addr.arpa 98.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 3600'
> >> Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> >>
> > That looks as perfect as you're gonna get. And, it's working. Unless you
> > want to try samba-technical or isc, I think this is the best you can
> > expect, especially as it's working. Remember, the errors are written by
> > coders and can at times have little bearing upon what is really happening.
> >
> > I'm no expert on network topography. We chose dhcp because we wanted
> > less work. For file servers we always use fixed IP. I'm sure that someone
> > will chip in with some more concrete explanations other than sheer
> > laziness;) HTH, Steve
> >
> >>
> >>
> >> Sent: Monday, 18 August 2014 at 00:31
> >> From: steve <steve at steve-ss.com>
> >> To: "Markus Roth" <markusroth1983 at gmx.net>
> >> Cc: samba at lists.samba.org
> >> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse
> >> lookup Zone
> >> On Sun, 2014-08-17 at 16:55 +0200, Markus Roth wrote:
> >>> Hi Steve,
> >>>
> >>> First, thanks a lot for your help this time :-)
> >>>
> >>>> Much easier:
> >>>> samba-tool dns zonedelete
> >>>> restart named
> >>>> samba-tool dns zonecreate
> >>>> restart sssd
> >>> Ah okay, good to know for future actions. So do I understand correctly
> >>> that my configuration is correct now and the denied messages with this
> >>> configuration are OK? If so, then the denied messages are OK for me :-)
> >>> But before I put my new configuration into productive use I'd better ask.
> >> On:
> >> named -version
> >> BIND 9.9.4-rpz2.13269.14-P2 (Extended Support Version)
> >> We do not get the denied messages, but we may have a lower debug level set.
> >> Sorry, can't confirm this as we've no test domain with that version.
> >> _Are_ the records being updated? Change the IP of a sssd client box
> >> (NOT the IP of the DC) and use host to check A and PTR.
> >>> I took static IPs only for testing. When this configuration is OK now,
> >>> I would create a test environment with a DHCP server.
> >>>
> >> ddns is handled fine by the sssd ad backend when the ip of a client is
> >> changed via dhcp.
> >>
> >>> For the rw access you said named needs rw access on the dns databases.
> >> Yes: the keytab for named.conf and the DNS partitions.
> >>
> >>> So I've set rw access for the group named on the *.so files and for
> >>> the ldb and tdb files in the /usr/samba/private structure. But I don't know
> >>> if this is necessary.
> >>>
> >>> Only out of interest: when static IPs were used, would you deactivate the
> >>> automatic DDNS updates and add them manually with samba-tool or with
> >>> the Windows remote administration kit? But I think it's much easier with
> >>> DDNS if some IPs change, isn't it?
> >>>
> >>>> LOL, yeah. open source error messages at their best.
> >>> ......
> >>>> Aug 17 08:34:02 server1 named[12525]: samba_dlz: added 200.178.168.192.in-addr.arpa 200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
> >>> . . .then it does it!
> >>> ....
> >>>> Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> >>>>
> >>>> That's the best you're gonna get. But why bother with static IPs?
> >>>> HTH,
> >>>> Steve
> >>>> Sent: Sunday, 17 August 2014 at 01:53
> >>>> From: steve <steve at steve-ss.com>
> >>>> To: "Markus Roth" <markusroth1983 at gmx.net>
> >>>> Cc: samba at lists.samba.org
> >>>> Subject: Re: Aw: Re: AW: [Samba] samba4 internal dns Server ddns
> >>>> for the reverse lookup Zone
> >>>> On Sun, 2014-08-17 at 00:46 +0200, Markus Roth wrote:
> >>>>> Hi Steve,
> >>>>>
> >>>>> I don't know what I'm still doing wrong :-( I've created new VMware
> >>>>> environments with CentOS 7 and Windows 7. The hostname of the CentOS 7
> >>>>> machine is server1 and the hostname of the Windows 7 machine is client1.
> >>>>> I've configured server1 as follows:
> >>>>>
> >>>>> 1. download bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
> >>>>> 2. rpm -ivh bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
> >>>>> 3. edit /root/rpmbuild/SPECS/bind.spec and remove the line --disable-isc-spnego
> >>>>> 4. rebuild bind with rpmbuild -bb ~/rpmbuild/SPECS/bind.spec
> >>>>> 5. remove all previous bind* and samba* installation files with yum remove
> >>>>> 6. install bind-license, bind-libs* and bind9* with rpm -ivh
> >>>>> 7. download samba 4.1.11
> >>>>> 8. install dependencies for samba 4.1.11 with yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5
> >>>>> 8. install samba 4.1.11 with ./configure --enable-debug --enable-selftest, then make, then make install
> >>>>> 9. configure samba 4.1.11 with samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
> >>>>> 10. configure /etc/named.conf for samba4
> >>>>> 11. chgrp named + rw access for named on dns.keytab, dns_update_list, named.conf under /usr/local/samba/private and the same on *.so files under /usr/local/samba/lib/bind9. Next I activate the .so file for bind9 in the samba named.conf
> >>>> named needs rw on the DNS databases too.
> >>>>
> >>>>> 12. install sssd with yum install sssd
> >>>>> 13. generate the krb5.keytab with my server name in capitals for the principal name: # samba-tool domain exportkeytab /etc/krb5.keytab --principal=SERVER1$
> >>>> The next 2 lines make no sense:
> >>>>> # chown root:root /etc/krb5.sssd.keytab
> >>>>> # chmod 600 /etc/krb5.sssd.keytab
> >>>>> 14. generate the sssd.conf with the same file permissions as the krb5.keytab + copy the samba4 krb5.conf to /etc and overwrite the existing one
> >>>>> 15. Start named, sssd and samba daemon
> >>>>> 16. generate reverse lookup zone with samba-tool dns zonecreate server1.winnet.local 178.168.192.in-addr.arpa
> >>>>> 17. Start the client1 machine, give the server1 IP as the DNS server and join client1 to the domain
> >>>>>
> >>>>> Here are my configuration files and the last log file. Do you see
> >>>>> any mistakes?
> >>>>>
> >>>>> Named.conf
> >>>>> ------------------------------------------------------------------
> >>>>> options {
> >>>>>     listen-on port 53 { 127.0.0.1; 192.168.178.130; };
> >>>>>     listen-on-v6 port 53 { ::1; };
> >>>>>     directory "/var/named";
> >>>>>     dump-file "/var/named/data/cache_dump.db";
> >>>>>     statistics-file "/var/named/data/named_stats.txt";
> >>>>>     memstatistics-file "/var/named/data/named_mem_stats.txt";
> >>>>>     allow-query { localhost; 192.168.178.0/24; };
> >>>>>     allow-recursion { localhost; 192.168.178.0/24; };
> >>>>>     forwarders { 8.8.8.8; 8.8.4.4; };
> >>>>>     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >>>>>     recursion yes;
> >>>>>     dnssec-enable yes;
> >>>>>     dnssec-validation yes;
> >>>>>     dnssec-lookaside auto;
> >>>>>     /* Path to ISC DLV key */
> >>>>>     bindkeys-file "/etc/named.iscdlv.key";
> >>>>>     managed-keys-directory "/var/named/dynamic";
> >>>>>     pid-file "/run/named/named.pid";
> >>>>>     session-keyfile "/run/named/session.key";
> >>>>> };
> >>>>> logging {
> >>>>>     channel default_debug {
> >>>>>         file "data/named.run";
> >>>>>         severity dynamic;
> >>>>>     };
> >>>>> };
> >>>>> zone "." IN {
> >>>>>     type hint;
> >>>>>     file "named.ca";
> >>>>> };
> >>>>> include "/etc/named.rfc1912.zones";
> >>>>> include "/etc/named.root.key";
> >>>>> include "/usr/local/samba/private/named.conf";
> >>>>> ------------------------------------------------------------------
> >>>>> Sssd.conf
> >>>>> [sssd]
> >>>>> services = nss, pam
> >>>>> config_file_version = 2
> >>>>> domains = winnet.local
> >>>>> [nss]
> >>>>> [pam]
> >>>>> [domain/winnet.local]
> >>>>> id_provider = ad
> >>>>> auth_provider = ad
> >>>>> access_provider = ad
> >>>>> ldap_id_mapping = False
> >>>>> ------------------------------------------------------------------
> >>>>> Smb.conf
> >>>>> # Global parameters
> >>>>> [global]
> >>>>>     workgroup = WINNET
> >>>>>     realm = WINNET.LOCAL
> >>>>>     netbios name = SERVER1
> >>>>>     server role = active directory domain controller
> >>>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> >>>>>     idmap_ldb:use rfc2307 = yes
> >>>>> [netlogon]
> >>>>>     path = /usr/local/samba/var/locks/sysvol/winnet.local/scripts
> >>>>>     read only = No
> >>>>> [sysvol]
> >>>>>     path = /usr/local/samba/var/locks/sysvol
> >>>>>     read only = No
> >>>>> ------------------------------------------------------------------
> >>>>> Samba4 named.conf
> >>>>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
> >>>>> #
> >>>>> # This file should be included in your main BIND configuration file
> >>>>> #
> >>>>> # For example with
> >>>>> # include "/usr/local/samba/private/named.conf";
> >>>>> #
> >>>>> # This configures dynamically loadable zones (DLZ) from AD schema
> >>>>> # Uncomment only single database line, depending on your BIND version
> >>>>> #
> >>>>> dlz "AD DNS Zone" {
> >>>>>     # For BIND 9.8.0
> >>>>>     # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
> >>>>>     # For BIND 9.9.0
> >>>>>     database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
> >>>>> };
> >>>>> ------------------------------------------------------------------
> >>>>> Var/log/messages
> >>>>> Aug 17 00:13:58 server1 chronyd[809]: NTP packet received from unauthorised host 192.168.178.200 port 123
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
> >>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#57474: update 'winnet.local/IN' denied
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone winnet.local
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> >>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> >>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> >>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone winnet.local
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> >>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#59638: update '178.168.192.in-addr.arpa/IN' denied
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> >>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> >>>>> Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> >>>>> Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> >>>>> ------------------------------------------------------------------
> >>>>>
> >>>> You must delete the reverse zone and recreate it as I outlined in
> >>>> my last message. Also, no feedback on the latter, so I have to
> >>>> guess that you have done it but it.
> >>>> HTH
> >>>>
> >>>>
> >>>>>
> >>>>> Sent: Saturday, 16 August 2014 at 16:00
> >>>>> From: steve <steve at steve-ss.com>
> >>>>> To: "Markus Roth" <markusroth1983 at gmx.net>
> >>>>> Cc: samba at lists.samba.org
> >>>>> Subject: Re: AW: [Samba] samba4 internal dns Server ddns for the
> >>>>> reverse lookup Zone
> >>>>> On Sat, 2014-08-16 at 15:46 +0200, Markus Roth wrote:
> >>>>>> Hi Steve,
> >>>>>>
> >>>>>> Update: I think nobody can say that I'm not creative :-) I've
> >>>>>> now tried ./samba-tool domain exportkeytab /etc/krb5.keytab
> >>>>>> without the --principal and changed my sssd.conf back to:
> >>>>>>
> >>>>>> [sssd]
> >>>>>> services = nss, pam
> >>>>>> config_file_version = 2
> >>>>>> domains = winnet.local
> >>>>>> [nss]
> >>>>>> [pam]
> >>>>>> [domain/winnet.local]
> >>>>>> id_provider = ad
> >>>>>> access_provider = ad
> >>>>>>
> >>>>>> Now I also get the denied messages, but the logs now seem to be
> >>>>>> different:
> >>>>> Very close now. This should do it:
> >>>>>
> >>>>> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
> >>>>>
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1$@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2171273687.sig-server1.winnet.local/160/0
> >>>>>> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#49475/key SERVER1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' A
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 0'
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1$@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=AAAA key=1458088344.sig-server1.winnet.local/160/0
> >>>>>> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60843/key SERVER1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' AAAA
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1$@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2571247347.sig-server1.winnet.local/160/0
> >>>>>> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60497/key SERVER1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 6 900 600 86400 0'
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1$@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=1615781577.sig-server1.winnet.local/160/0
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1$@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=1615781577.sig-server1.winnet.local/160/0
> >>>>>> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key SERVER1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '130.178.168.192.in-addr.arpa' PTR
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
> >>>>>> Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key SERVER1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '130.178.168.192.in-addr.arpa' PTR
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
> >>>>>> Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> >>>>>> Aug 16 15:40:19 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.200 port 123
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> >>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#53494: update 'winnet.local/IN' denied
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on zone winnet.local
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> >>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> >>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> >>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> >>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#61402: update '178.168.192.in-addr.arpa/IN' denied
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> >>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> >>>>>> Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> >>>>>> Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Markus Roth [mailto:markusroth1983 at gmx.net]
> >>>>>> Sent: Saturday, 16 August 2014 15:13
> >>>>>> To: 'steve'
> >>>>>> Cc: 'samba at lists.samba.org'
> >>>>>> Subject: AW: [Samba] samba4 internal dns Server ddns for the
> >>>>>> reverse lookup Zone
> >>>>>>
> >>>>>> Hi Steve,
> >>>>>>
> >>>>>> I've tried the domain exportkeytab below, but when I do
> >>>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
> >>>>>> the log says:
> >>>>>>
> >>>>>> ./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
> >>>>>> ERROR(runtime): uncaught exception - Key table entry not found
> >>>>>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >>>>>>     return self.run(*args, **kwargs)
> >>>>>>   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 103, in run
> >>>>>>     net.export_keytab(keytab=keytab, principal=principal)
> >>>>>>
> >>>>>> When I do the same with --principal=server1$ it does an
> >>>>>> export, but I still get the denied messages from the beginning. I also
> >>>>>> tried winnet$ or winnet.local$ but I get the same errors as above.
> >>>>>>
> >>>>>>
> >>>>>>> Hi
> >>>>>>> This is not using the sssd ad backend at all. It will not do
> >>>>>>> ddns updates, neither will it pull the correct id info from AD.
> >>>>>>
> >>>>>>> You were nearly there. Did you see my other post?
> >>>>>>> Just issue:
> >>>>>>> samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
> >>>>>>> and try with your original ad sssd config.
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:
> https://lists.samba.org/mailman/options/samba
> >
>
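Rowland's workflow above (a dedicated update account with its own keytab, DDNS turned off on the Windows clients, and a dhcpd hook that updates DNS through nsupdate) as an added Python example; it is not the script linked in the thread nor Rowland's howto. The dhcpd.conf wiring in the docstring, the account name dhcp-dns and the keytab path are assumptions; the zone and server names are the thread's.

```python
#!/usr/bin/env python3
"""Hypothetical ISC dhcpd hook that updates A and PTR records in a Samba AD DNS
zone with nsupdate over GSS-TSIG, authenticating as a dedicated update account.
Assumed dhcpd.conf wiring (constructed; the 'execute' statement exists in ISC
dhcpd 4.1 and later):

    on commit {
        set clip = binary-to-ascii(10, 8, ".", leased-address);
        set clhost = pick-first-value(option host-name, "");
        execute("/usr/local/sbin/ddns_update.py", "add", clip, clhost);
    }
    on release {
        set clip = binary-to-ascii(10, 8, ".", leased-address);
        set clhost = pick-first-value(option host-name, "");
        execute("/usr/local/sbin/ddns_update.py", "delete", clip, clhost);
    }
"""
import ipaddress
import os
import subprocess
import sys
import tempfile

# Site values: zone and server names come from the thread, the rest are assumed.
FORWARD_ZONE = "winnet.local"
REVERSE_ZONE = "178.168.192.in-addr.arpa"
DNS_SERVER = "server1.winnet.local"
TTL = 1200
KEYTAB = "/etc/dhcp/dhcp-dns.keytab"      # hypothetical keytab of the update account
PRINCIPAL = "dhcp-dns@WINNET.LOCAL"        # hypothetical update account


def reverse_name(ip):
    """PTR owner name, e.g. 192.168.178.98 -> 98.178.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def valid_hostname(label):
    """Accept only a single plain DNS label from the DHCP client. Empty or dotted
    names are refused so a lease cannot steer the update at another host's
    record or at another zone."""
    return (0 < len(label) <= 63
            and all(c.isalnum() or c == "-" for c in label)
            and not label.startswith("-")
            and not label.endswith("-"))


def build_update(action, ip, hostname):
    """Return one nsupdate script per zone. Each mirrors the transaction named
    logs under samba_dlz: delete the existing rrset, then (for 'add') add the
    new RR. Forward and reverse zones are separate transactions, as in the
    thread's logs."""
    fqdn = "%s.%s." % (hostname, FORWARD_ZONE)
    ptr = reverse_name(ip) + "."
    forward = ["server " + DNS_SERVER, "zone " + FORWARD_ZONE,
               "update delete %s A" % fqdn]
    reverse = ["server " + DNS_SERVER, "zone " + REVERSE_ZONE,
               "update delete %s PTR" % ptr]
    if action == "add":
        forward.append("update add %s %d A %s" % (fqdn, TTL, ip))
        reverse.append("update add %s %d PTR %s" % (ptr, TTL, fqdn))
    forward.append("send")
    reverse.append("send")
    return ["\n".join(forward) + "\n", "\n".join(reverse) + "\n"]


def run_nsupdate(scripts, keytab=KEYTAB, principal=PRINCIPAL):
    """kinit the update account from its keytab into a private credential
    cache, then feed each script to 'nsupdate -g' (GSS-TSIG signed update)."""
    with tempfile.TemporaryDirectory() as tmp:
        env = dict(os.environ, KRB5CCNAME="FILE:%s/krb5cc" % tmp)
        subprocess.run(["kinit", "-k", "-t", keytab, principal],
                       env=env, check=True)
        for script in scripts:
            subprocess.run(["nsupdate", "-g"], input=script, text=True,
                           env=env, check=True)


def main(argv):
    if len(argv) != 4 or argv[1] not in ("add", "delete"):
        sys.exit("usage: ddns_update.py add|delete <ip> <hostname>")
    action, ip, hostname = argv[1:]
    if not valid_hostname(hostname):
        sys.exit("refusing DNS update for host name %r" % hostname)
    run_nsupdate(build_update(action, ip, hostname.lower()))


if __name__ == "__main__":
    main(sys.argv)
```

When a client's address changes, the old PTR is not touched by this hook; the stale-record cleanup Steve links to is still needed for that.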
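A defender's reading of the named log lines quoted throughout the thread, as an added example that is not from the thread: it pairs each client's "update denied" with a later GSS-TSIG signed update from the same client that committed (the two-step Steve calls normal), and flags clients whose denials are never followed by a signed retry. The sample log is constructed from the thread's lines plus one made-up client, 192.168.178.77.

```python
import re

# Constructed sample modelled on the /var/log/messages excerpts in the thread
# (client1's lease moved to 192.168.178.98). The .77 client is made up: its
# unsigned attempt is denied and it never retries with Kerberos.
SAMPLE_LOG = """\
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#57564: update 'winnet.local/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#62909: update '178.168.192.in-addr.arpa/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '98.178.168.192.in-addr.arpa' PTR
Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:19:30 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:19:30 server1 named[12388]: client 192.168.178.77#40001: update 'winnet.local/IN' denied
Aug 18 16:19:30 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
"""

# Unsigned update refused by named (no '/key' after the port).
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: update '(?P<zone>[^/']+)/IN' denied")
# Update carrying a GSS-TSIG signature; the signer is the Kerberos principal.
SIGNED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+/key (?P<signer>\S+): updating zone '(?P<zone>[^/']+)/NONE'")
COMMIT_RE = re.compile(r"samba_dlz: committed transaction on zone (?P<zone>\S+)")
CANCEL_RE = re.compile(r"samba_dlz: cancelling transaction on zone (?P<zone>\S+)")


def triage(log_text):
    """Classify each (client ip, zone) pair seen in the log:
       signed-ok           a signed update committed (a preceding denial of the
                           same client's unsigned attempt is the normal two-step
                           seen in the thread, not a fault)
       signed-uncommitted  a signed update was accepted but never committed
       unsigned-denied     only unsigned attempts, all denied: the client never
                           retried with Kerberos, so its update really failed"""
    recs = {}
    open_tx = {}  # zone -> (ip, zone) whose signed update awaits its commit line
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            r = recs.setdefault((m["ip"], m["zone"]),
                                {"denied": 0, "signed": 0, "committed": 0})
            r["denied"] += 1
            continue
        m = SIGNED_RE.search(line)
        if m:
            r = recs.setdefault((m["ip"], m["zone"]),
                                {"denied": 0, "signed": 0, "committed": 0})
            r["signed"] += 1
            r["signer"] = m["signer"]
            open_tx[m["zone"]] = (m["ip"], m["zone"])
            continue
        m = COMMIT_RE.search(line)
        if m and m["zone"] in open_tx:
            recs[open_tx.pop(m["zone"])]["committed"] += 1
            continue
        m = CANCEL_RE.search(line)
        if m:
            open_tx.pop(m["zone"], None)
    result = {}
    for key, r in recs.items():
        if r["committed"]:
            result[key] = "signed-ok"
        elif r["signed"]:
            result[key] = "signed-uncommitted"
        else:
            result[key] = "unsigned-denied"
    return result


def report(log_text):
    """One human-readable line per (client, zone), sorted by client address."""
    return ["%s %s: %s" % (ip, zone, status)
            for (ip, zone), status in sorted(triage(log_text).items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```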

